Compared to intermediaries like Nothing and Beeper, iMessage is fort Knox.
And don’t get me wrong, I don’t trust Apple with a proprietary messaging app that only runs on a proprietary set of operating systems. But in theory, at least, their messaging protocol is sound-ish, and allegedly people have audited it and the server. So theoretically, unless iOS itself is insecure (and Apple has some incentive to make it that way) iMessage is at least moderately secure.
But this… From the outset, it was basically a known factor that you handed over your keys to some random company, they received and decrypted these otherwise encrypted messages, and then they sent them to you. In a best case scenario, they have all your stuff, but they picky promise to delete it.
If you’re security is as good as a pinky promise, then using the worst possible encryption to transfer your most important secrets should be a death knell for trusting the Nothing developers, and the white label solution they yanked up the shelf and slapped their brand onto.
It makes me question how serious the whole operation is.
Beeper is pretty good with it, as they make it clear that it’s insecure and use an encrypted protocol to get the messages to the server. Still, it’s better to host your own (which Beeper lets you do, as it’s just Matrix) or not use it.
Due to complexity and limited auditing a number of vulnerabilites have slipped through again & again, like zero-click exploits for example. Take a look at the sear volume of CVEs.
While they do eventually get found & patched, its not ideal compared to other messaging apps like signal that are very much security first, features 2nd.
A lot of people(normies), especially Apple users tend to think it’s super secure virtually impenetrable technology.
The sheer volume of cves is not necessarily an indicator for insecurity. The CVE system is pretty bad and rulings are mostly arbitrary. For example, there was a recent curl “CVE”, where an overflow happened in some part of the app which was not relevant to security. I don’t remember the details, but the only solution to this apperent mess was that the main contributor of curl is becoming one of the guys that evaluate CVEs.
CVE is a measure for the US government, and always assumes the worst in any case.
I know what curl CVE you’re referring too.
Yeah, that was pretty stupid, they marked it high severity when 1 It was already patched like a year prior and 2 it was a complete non-issue in the first place.
Then some fuckin AI put forth another bogus CVE based on the one you’re referring.
The curl dev was pissed, and rightfully so.
And You’re right, it’s more so the details of the CVEs that’s important then the actual CVEs themselves.
iMessage itself really isn’t as secure as some think.
Compared to intermediaries like Nothing and Beeper, iMessage is fort Knox.
And don’t get me wrong, I don’t trust Apple with a proprietary messaging app that only runs on a proprietary set of operating systems. But in theory, at least, their messaging protocol is sound-ish, and allegedly people have audited it and the server. So theoretically, unless iOS itself is insecure (and Apple has some incentive to make it that way) iMessage is at least moderately secure.
But this… From the outset, it was basically a known factor that you handed over your keys to some random company, they received and decrypted these otherwise encrypted messages, and then they sent them to you. In a best case scenario, they have all your stuff, but they picky promise to delete it.
If you’re security is as good as a pinky promise, then using the worst possible encryption to transfer your most important secrets should be a death knell for trusting the Nothing developers, and the white label solution they yanked up the shelf and slapped their brand onto.
It makes me question how serious the whole operation is.
Your security is actually worse than a pinky promise in that case because you also have to consider that they could be hacked.
Beeper is pretty good with it, as they make it clear that it’s insecure and use an encrypted protocol to get the messages to the server. Still, it’s better to host your own (which Beeper lets you do, as it’s just Matrix) or not use it.
How so?
Due to complexity and limited auditing a number of vulnerabilites have slipped through again & again, like zero-click exploits for example. Take a look at the sear volume of CVEs. While they do eventually get found & patched, its not ideal compared to other messaging apps like signal that are very much security first, features 2nd.
A lot of people(normies), especially Apple users tend to think it’s super secure virtually impenetrable technology.
The sheer volume of cves is not necessarily an indicator for insecurity. The CVE system is pretty bad and rulings are mostly arbitrary. For example, there was a recent curl “CVE”, where an overflow happened in some part of the app which was not relevant to security. I don’t remember the details, but the only solution to this apperent mess was that the main contributor of curl is becoming one of the guys that evaluate CVEs.
CVE is a measure for the US government, and always assumes the worst in any case.
That being said, I agree with you.
I know what curl CVE you’re referring too.
Yeah, that was pretty stupid, they marked it high severity when 1 It was already patched like a year prior and 2 it was a complete non-issue in the first place.
Then some fuckin AI put forth another bogus CVE based on the one you’re referring.
The curl dev was pissed, and rightfully so.
And You’re right, it’s more so the details of the CVEs that’s important then the actual CVEs themselves.